Oct 6, 2016 - translation from PHP with embedded SQL commands into SmpSL of code .... Here we introduce our programming language and our verification ...
On the automated verification of web applications with embedded SQL Shachar Itzhaky1 , Tomer Kotek2 , Noam Rinetzky3 , Mooly Sagiv3 , Orr Tamir3 , Helmut Veith2 , and Florian Zuleger2 1 2 3
Massachusetts Institute of Technology Vienna University of Technology Tel Aviv University
arXiv:1610.02101v1 [cs.LO] 6 Oct 2016
Abstract A large number of web applications is based on a relational database together with a program, typically a script, that enables the user to interact with the database through embedded SQL queries and commands. In this paper, we introduce a method for formal automated verification of such systems which connects database theory to mainstream program analysis. We identify a fragment of SQL which captures the behavior of the queries in our case studies, is algorithmically decidable, and facilitates the construction of weakest preconditions. Thus, we can integrate the analysis of SQL queries into a program analysis tool chain. To this end, we implement a new decision procedure for the SQL fragment that we introduce. We demonstrate practical applicability of our results with three case studies, a web administrator, a simple firewall, and a conference management system. 1998 ACM Subject Classification D.3.2 Database Management Languages, F.3.1 Specifying and Verifying and Reasoning about Programs Keywords and phrases SQL; Scripting language; Web services; Program verification; Twovariable fragment of First Order logic; Decidability; Reasoning Digital Object Identifier 10.4230/LIPIcs.xxx.yyy.p
1
Introduction
Web applications are often written in a scripting language such as PHP and store their data in a relational database which they access using SQL queries and data-manipulating commands [36]. This combination facilitates fast development of web applications, which exploit the reliability and efficiency of the underlying database engine and use the flexibility of the script language to interact with the user. While the database engine is typically a mature software product with few if any severe errors, the script with the embedded SQL statements does not meet the same standards of quality. With a few exceptions (such as [15, 19]) the systematic analysis of programs with embedded-SQL statements has been a blind spot in both the database and the computeraided verification community. The verification community has mostly studied the analysis of programs which fall into two classes: programs with (i) numeric variables and complex control structure, (ii) complex pointer structures and objects; however, the modeling of data and their relationships has not received the same attention. Research in the database community on the other hand has traditionally focused on correct design of databases rather than correct use of databases. This paper lays the ground for an interdisciplinary methodology which extends the realm of program analysis to programs with embedded SQL. Since the seminal papers of Hoare, the © Shachar Itzhaky, Tomer Kotek, Noam Rinetzky, Mooly Sagiv, Orr Tamir, Helmut Veith, and Florian Zuleger; licensed under Creative Commons License CC-BY Conference title on which this volume is based on. Editors: Billy Editor and Bill Editors; pp. 1–25 Leibniz International Proceedings in Informatics Schloss Dagstuhl – Leibniz-Zentrum für Informatik, Dagstuhl Publishing, Germany
2
On the automated verification of web applications with embedded SQL
first step for developing program analysis techniques is a precise mathematical framework for defining programming semantics and correctness. In this paper we develop a Hoare logic for a practically useful but simple fragment of SQL, called SmpSQL, and a simple scripting language, called SmpSL, which has access to SmpSQL statements. Specifically, we describe a decidable logic for formulating specifications and develop a weakest precondition calculus for SmpSL programs; thus our Hoare logic allows to automatically discharge verification conditions. When analyzing SmpSL programs, we treat SQL as a black box library whose semantics is given by database theory. Thus we achieve verification results relative to the correctness of the underlying database engine. We recall from Codd’s theorem [13] that the core of SQL is equivalent in expressive power to first-order logic FO. Thus, it follows from Trakhtenbrot’s theorem [34] that it is undecidable whether an SQL query guarantees a given post condition. We have therefore chosen our SQL fragment SmpSQL such that it captures an interesting class of SQL commands, but corresponds to a decidable fragment of first-order logic, namely FO2BD , the restriction of first-order logic in which all variables aside from two range over fixed finite domains called bounded domains. The decidability of the finite satisfiability problem of FO2BD follows from that of FO2 , the fragment of first-order logic which uses only two variables. Although the decidability of FO2 was shown by Mortimer [29] and a complexity-wise tight decision procedure was later described by Grädel, Kolaitis and Vardi [21], we provide the first efficient implementation of finite satisfiability of FO2 . We illustrate our methodology on the example of a simple web administration tool based on [22]. The PANDA web administrator is a simple public domain web administration tool written in PHP. We describe in Section 2 how the core mailing-list administration functionality falls into the scope of SmpSL. We formulate a specification consisting of a database invariant and pre- and postconditions. Our framework allows us to automatically check the correctness of such specifications using our own FO2BD reasoning tool.
Main contributions 1. We define SmpSQL, an SQL fragment which is contained in FO2BD . 2. We define a a simple imperative script language SmpSL with embedded SmpSQL statements. 3. We give a construction for weakest preconditions in FO2BD for SmpSL. 4. We implemented the weakest precondition computation for SmpSL. 5. We implemented a decision procedure for FO2BD . The procedure is based on the decidability and NEXPTIME completeness result for FO2 by [21], but we use a more involved algorithm which reduces the problem to a SAT solver and is optimized for performance. We evaluate our methodology on three applications: a web administrator, a simple firewall, and a conference management system. We compared our tool with Z3 [14], currently the most advanced general-purpose SMT solver with (limited) support for quantifiers. In general, our tool performs better than Z3 in several examples for checking the validity of verification conditions of SmpSL programs. However, our tool and Z3 have complementary advantages: Z3 does well for unsatisfiable instances while our tool performs better on satisfiable instances. We performed large experiments with custom-made blown up versions of the web administrator and the firewall examples, which suggest that our tool scales well. Moreover, we tested the scalability of our approach by comparing of our underlying FO2 solver with three solvers on a set of benchmarks we assembled inspired by combinatorial problems. The solvers we tested against are Z3, the SMT solver CVC4 [3], and the model checker Nitpick [7]. Our solver outperformed each of these solvers on some of the benchmarks.
S. Itzhaky, T. Kotek, N. Rinetzky, M. Sagiv, O. Tamir, H. Veith, and F. Zuleger
2
Running Example
We introduce our approach on the example of a simple web service. The example is a translation from PHP with embedded SQL commands into SmpSL of code excerpts from the Panda web-administrator. The web service provides several services implemented in dedicated functions for subscribing a user to a newsletter, deleting a newsletter, making a user an admin of a newsletter, sending emails to all subscribed users of a newsletter, etc. We illustrate our verification methodology by exposing an error in the Panda web-administrator. The verification methodology we envision in this paper consists of (1) maintaining database invariants and (2) verifying a contract specification for each function of the web service. The database contains several tables including NS = NewsletterSubscription with attributes nwl, user, subscribed and code. The database is a structure whose universe is partitioned into three sets: domU , boolB , and codesB . The attributes nwl and user range over the finite set domU , the attribute subscribed ranges over boolB = {true, false}, and the attribute code ranges over the fixed finite set codesB . The superscripts in domU , boolB , and codesB serve to indicate that the domain domU is unbounded, while the Boolean domain and the domain of codes are bounded (i.e. of fixed finite size). When s = true, (n, u, s, c) ∈ NS signifies that the user u is subscribed to the newsletter n. The process of being (un)subscribed from/to a newsletter requires an intermediary confirmation step in which the confirm code c plays a role. Figure 1 provides the functions subscribe, unsubscribe, and confirm translated manually into SmpSL. 1 The comments in quotations // “. . .” originate from the PHP source code. The intended use of these functions is as follows: In order to subscribe a user u to a newsletter n, the function subscribe is called with inputs n and u (for example by a web interface operated by the newsletter admin or by the user). subscribe stores the tuple (n, u, false, new_code) in NS, where new_code is a confirmation code which does not occur in the database, and an email containing a confirmation URL is sent to the user u. Visiting the URL triggers a call to confirm with input new_code, which subscribes u to n by replacing the tuple (n, u, false, new_code) of NS to with (n, u, true, nil). For unsubscribe the process is similar, and crucially, unsubscribe uses the same confirm function. confirm decides whether to subscribe or unsubscribe according to whether n is currently subscribed to u. The CHOOSE command selects one row non-deterministically. The database preserves the invariant � � W Inv = ∀d x, y. ∀b s1 , s2 . ∀c c1 , c2 . (s1 = s2 ∧ c1 = c2 ) ∨ i=1,2 ¬NS(x, y, si , ci ) (1) Inv says that the pair (n, u) of newsletter and user is a key of the relation NS. The subscripts of the quantifiers denote the domains over which the quantified variables range. In our verification methodology we add invariants as additional conjuncts to the pre- and postconditions of every function. In this way invariants strengthen the pre-conditions and can be used to prove the post-conditions of the functions. On the other hand, the post-conditions require to re-establish the validity of the invariants. Figure 2 provides pre- and post-conditions pref and postf for each of the three functions f. The relation names d, b, and c are interpreted as the sets domU , boolB , and codesB , respectively. Proving correctness amounts to proving the correctness of each of the Hoare triples {pref ∧ Inv} f {postf ∧ Inv}. Each Hoare triple specifies a contract: after every 1
The reader may wish to compare the SmpSL implementation of confirm to the PHP implementation in PANDA, provided in Appendix A.1.
3
4
On the automated verification of web applications with embedded SQL
subscribe(n,u): A = SELECT * FROM NS WHERE user = u AND nwl = n; if (A != empty) exit; // "This address is already registered to this newsletter." INSERT (n,u,false,new_code) INTO NS; // Send confirmation email to u unsubscribe(n,u): A = SELECT * FROM NS if (A = empty) exit; UPDATE NS SET code = // Send confirmation
WHERE user = u AND nwl = n; // "This address is not registered to this newsletter." new_code WHERE user = u AND nwl = n email to u
confirm(cd): A = SELECT subscribe FROM NS WHERE code = cd; if (A = empty) exit; //"No such code" s1 = CHOOSE A; if (s1 = false) UPDATE NS SET subscribed = true, code = nil WHERE code = cd else DELETE FROM NS WHERE code = cd;
Figure 1 Running Example: SmpSL code.
execution of f, the condition postf ∧ Inv should be satisfied if pref ∧ Inv was satisfied before executing f. presubscribe and preunsubscribe express that new_code is an unused non-nil code and that NS gh is equal to NS. NS gh is a ghost table, used in the post-conditions to relate the state before the execution of the function to the state after the execution. NS gh does not occur in the functions and is not modified. postsubscribe and postunsubscribe express that NS is obtained from NS gh by inserting or updating a row satisfying user = u AND nwl = n whenever the exit command is not executed. The intended behavior of confirm depends on which function created cd. preconfirm introduces a Boolean ghost variable subgh whose value is true (respectively false) if cd was generated as a new code in subscribe (respectively unsubscribe). subgh does not occur in confirm. postconfirm express that, when subgh is true, NS is obtained from NS by toggling the value of the column subscribed from false to true in the NS gh row whose confirm code is cd; when subgh is false, NS is obtained from NS gh by deleting the row with confirm code cd. Let us now describe the error which prevents confirm from satisfying its specification. Consider the following scenario. First, subscribe is called and then unsubscribe, both with the same input n and u. Two confirm codes are created: cs by subscribe and cu by unsubscribe. At this point, NS contains a single row for the newsletter n and user u namely (n, u, false, cu ). The user receives two confirmation emails containing the codes cs and cu . Clicking on the confirmation URL for cs (i.e. running confirm(cs )) has no effect since cs does not occur in the database. However, clicking on the confirmation URL for cs results in subscribing u to n. This is an error, since confirming a code created in unsubscribe should not lead to a subscription. Our tool automatically checks whether the program satisfies its specification. If not, the programmer or verification engineer may try to refine the specification to adhere more closely to the intended behavior (e.g. by adding an invariant). In this case, the program is in fact incorrect, so no meaningful correct specification can be written for it. In Section 3.3 we describe a weakest-precondition calculus wp[[·]] which allows us to automatically derive the weakest precondition for a post-condition with regard to a SmpSL program. For our example functions f, wp[[·]] allows us to automatically derive wp[[f]]postf . The basic property of the weakest precondition is that postf holds after f has executed iff wp[[f]]postf held immediately at the start of the execution. It then remains to show that the pre-condition pref implies wp[[f]]postf . This amounts to checking the validity of the
S. Itzhaky, T. Kotek, N. Rinetzky, M. Sagiv, O. Tamir, H. Veith, and F. Zuleger
preg good-code(c0 ) postg ϕsubscribe,1 ϕsubscribe,2
= = = = =
ϕunsubscribe,1 ϕunsubscribe,2
= =
NS = NS gh ∧ good-code(new_code) c(c0 ) ∧ (c0 6= nil) ∧ ∀d x, y. ∀b s. ¬NS(x, y, s, c0 ) ∀d x, y. ∀b s. ∀c c. NS(x, y, s, c) ↔ (ϕg,1 ∨ ϕg,2 ) NS gh (x, y, s, c) (n = x) ∧ (u = y) ∧ (s = false) ∧ (c = new_code) ∧¬∃b s0 . ∃c c0 . NS gh (n, u, s0 , c0 ) (n 6= x) ∧ (u 6= y) ∧ NS gh (x, y, s, c) (n = x) ∧ (u = y) ∧ (c = new_code) ∧ ∃c c0 . NS gh (n, u, s, c0 )
preconfirm postconfirm ψfalse ψtrue
= = = =
NS V = NS gh ∧ b(subgh ) subgh = tt → (∀d x, y. ∀b s. ∀c c. NS(x, y, s, c) ↔ ψtt ) tt∈b cd 6= c ∧ NS gh (x, y, s, c) cd 6= c ∧ NS gh (x, y, s, c) ∨ (c = nil ∧ s = true ∧ NS gh (x, y, false, cd))
Figure 2 Running Example: Pre- and post-conditions. g is either subscribe or unsubscribe.
verification conditions VC f = pref → wp[[f]]postf . Our reasoner for FO2 sentences is the back-end for our verification tool. The specification in this example is all in FO2BD . The weakest precondition of a SmpSL program applied to a FO2BD sentence gives again a FO2BD sentence. Hence VC f are all in FO2BD . Automatically deciding the validity of FO2BD sentences using our FO2 decision procedure is described in Section 4. Recall that codesB is of fixed finite size. Here |codesB | = 3 is sufficient to detect the error. Observe that the same confirm code may be reused once it is replaced with nil in confirm, so the size of the database is unbounded. The size of codesB must be chosen manually when applying our automatic tool. A simple way to correct the error in confirm is by adding subgh as a second argument of confirm and replacing if (s1 = false) · · · with if (subgh = false) · · · . Since s1 is no longer used, the CHOOSE command can be deleted. The value of subgh received by confirm is set correctly by subscribe and unsubscribe. With these changes, the error is fixed and confirm satisfies its specification. In the scenario from above, the call to confirm with cs and subgh = true leaves the database unchanged, while the call to confirm with cu and subgh = false deletes the row (n, u, false, cu ).
3
Verification of SmpSL Programs
Here we introduce our programming language and our verification methodology. We introduce the SQL fragment SmpSQL in Section 3.1 and the scripting language SmpSL in Section 3.2. In Section 3.3 we explain the weakest precondition transformer of SmpSL, and we show how discharging verification conditions of FO2BD specification reduces to reasoning in FO2 .
3.1 3.1.1
The SQL fragment SmpSQL Data model of SmpSQL
The data model of SmpSQL is based on the presentation of the relational model in Chapter 3.1 B of [2]. We assume finite sets of domB 1 , . . . , doms called the bounded domains and an infinite U set dom called the unbounded domain. The domains are disjoint. We assume three disjoint countably infinite sets: the set of attributes att, the set of relation names relnames, and the B set of variables SQLvars. We assume a function sort : att → {domU , domB 1 , . . . , doms }.
5
6
On the automated verification of web applications with embedded SQL
A table or a relation schema is a relation name and a finite sequence of attributes. The attributes are the names of the columns of the table. The arity ar(R) of a relation schema R is the number of its attributes. A database schema is a non-empty finite set of tables. A database instance I of a database schema R is a many-sorted structure with finite domains dom0 ⊆ domU and domj = domB j for 1 ≤ j ≤ s. We denote by sortI the function obtained from sort by setting sortI (att) = dom0 whenever sort(att) = domU . The relation schema R = (relname, att 1 , . . . , att e ) is interpreted in I as a relation RI ⊆ sortI (att 1 ) × · · · × sortI (att e ). A row is a tuple in a relation RI . A database schema R is valid for SmpSQL if for all relation schemas R with attributes att 1 , . . . , att e in R, there are at most two attributes att j for which sort(att j ) = domU . In the sequel we assume that all database schemas are valid. The SmpSQL commands will be allowed to use variables from SQLvars. We denote members of SQLvars by p, p1 , etc.
3.1.2
Queries in SmpSQL
Given a relation schema R and attributes att1 , . . . , attn of R, the syntax of SELECT is: hSelecti ::= SELECT atta1 , . . . , attai FROM R WHERE hConditioni hConditioni ::= attb1 , . . . , attbj IN hSelecti | hConditioni AND hConditioni | hConditioni OR hConditioni | NOT hConditioni | attm = p where p is a variable and 1 ≤ m, a1 , . . . , ai , b1 , . . . , bj ≤ n. The semantics of hSelecti is the set of tuples from the projection of R on atta1 , . . . , attai which satisfy hConditioni. The condition attm = p indicates that the set of rows of R in which the attribute att m has value p is selected. The condition attb1 , . . . , attbi IN hSelecti selects the set of rows of R in which att b1 , . . . , attbi are mapped to one of the tuples queried in the nested query hSelecti.
3.1.3
Data-manipulating commands in SmpSQL
SmpSQL supports the three primitive commands INSERT, UPDATE, and DELETE. Let R be a relation schema with attributes att1 , . . . , attn . Let p, p1 , . . . , pn be variables from SQLvars. The syntax of the primitive commands is: hInserti ::= INSERT (p1 , . . . , pn ) INTO R hUpdatei ::= UPDATE R SET attm = p WHERE hConditioni hDeletei ::= DELETE FROM R WHERE hConditioni The semantics of INSERT, UPDATE and DELETE is given in the natural way. We allow update commands which set several attributes simultaneously. We assume that the data manipulating commands are used in a domain-correctness fashion, i.e. INSERT and UPDATE may only assign values from sort(att k ) to any attribute att k .
3.2 3.2.1
The script language SmpSL Data model of SmpSL
The data model of SmpSL extends that of SmpSQL with constant names and additional relation schemas. We assume a countably infinite set of constant names connames, which B is disjoint from att, domU , domB 1 , . . . , doms , relnames but contains SQLvars. A state schema is a database schema R expanded with a tuple of constant names const. A state interprets a state schema. It consists of a database instance I expanded with a tuple
S. Itzhaky, T. Kotek, N. Rinetzky, M. Sagiv, O. Tamir, H. Veith, and F. Zuleger I
of universe elements const interpreting const. In programs, the constant names play the role of local variables, domain constants (e.g. true and true) and of inputs to the program2 .
3.2.2
SmpSL programs
The syntax of SmpSL is given by hProgrami ::= hCommandi | hProgrami ; hCommandi hCommandi ::= hInserti | hUpdatei | hDeletei | R = hSelecti | ¯ d = CHOOSE R | if (cond) hProgrami else hProgrami | if (cond) exit Every data-manipulating command C of SmpSQL is a SmpSL command. The semantics of C in SmpSL is the same as in SmpSQL, with the caveat that the variables receive their values from their interpretations (as constant names) in the state, and C is only legal if all the variables of C indeed appear in the state schema as constant names. The command R = hSelecti assigns the result of a SmpSQL query to a relation schema R ∈ R whose arity and attribute sorts match the select query. Executing the command in a I state (I, const ) sets RI to the relation selected by S, leaving the interpretation of all other names unchanged. The variables in the query receive their values from their interpretations in the state, and for the command to be legal, all variables in the query must appear in the state schema as constant names. Given a relation schema R ∈ R with attributes att1 , . . . , attn and a tuple d¯ = (d1 , . . . , dn ) ¯ = CHOOSE R is a SmpSL command. If RI is empty, the of constant names from const, d command has no effect. If RI is not empty, executing this command sets (dI1 , . . . , dIn ) to the value of a non-deterministically selected row from RI . The branching commands have the natural semantics. Two types of branching conditions cond are allowed: (R = empty) and (R != empty), which check whether RI is the empty set, and (c1 = c2 ) and (c1 ! = c2 ), which check whether cI1 = cI2 . See Fig. 1 for examples of SmpSL programs.
3.3 3.3.1
Verification of SmpSL programs SQL and FO
It is well-established that a core part of SQL is captured by FO by Codd’s classical theorem relating the expressive power of relational algebra to relational calculus. While SQL goes beyond FO in several aspects, such as aggregation, grouping, and arithmetic operations (see [27]), these aspects are not allowed in SmpSQL. Hence, FO is especially suited for reasoning about SmpSQL and SmpSL. The notions of state schema and state fit naturally in the syntax and semantics of FO. In the sequel, a vocabulary is a tuple of relation names and constant names. For a FO-formula ψ, we write voc(ψ) for the vocabulary consisting of the relation names and constant names I in ψ. Every state schema R is a vocabulary. A state (I,� const ) interpreting a state schema R and a tuple of constant names const is an R, const -structure.
7
8
On the automated verification of web applications with embedded SQL
[[atti = c]]R [[attb1 , . . . , attbj IN S1 ]]R [[cond1 AND cond2 ]]R [[cond1 OR cond2 ]]R [[NOT cond1 ]]R
= b = b = b = b = b
vi = c [[S1 ]][vbk /vk : 1 ≤ k ≤ j] [[cond 1 ]]R ∧ [[cond 2 ]]R [[cond 1 ]]R ∨ [[cond 2 ]]R ¬[[cond 1 ]]R
[[SELECT atta1 , . . . , attai FROM R WHERE cond]] = b (∃vai+1 , . . . , van R(¯v ) ∧ [[cond]]R )[v` /va` : 1 ≤ ` ≤ i] where {a1 , . . . , an } = {1, . . . , n} wp[[INSERT (c1 , . . . , cn ) INTO R]]Q wp[[DELETE FROM R WHERE cond]]Q wp[[UPDATE R SET attj = c WHERE cond]]Q
= b = b = b
�
Vn
�
�
Q R(α) ¯ � ¯ ∨ i=1 αiR= ci R(α) � � Q R(α) ¯ ∧ ¬[[cond]] [αi /vi : 1 ≤ i ≤ n] R(α) ¯ � Q R(α) ¯ ∧ ¬[[cond]]R [αi /vi : 1 ≤ i ≤ n] ∨ ∃vj R(αj ) ∧ [[cond]]R [αij /vi : 1 ≤ i ≤ n] ∧ � αj = �c R(α) ¯
Figure 3 Rules for weakest precondition for SmpSQL basic commands. We denote by R a relation schema with attributes hatt1 , . . . , attn i. We write αij for αi if i 6= j, and for vi if i = j. We j denote �v¯ = (v1 , .�. . , vn �), α ¯ = (α1 , . . . , αn ), and αj = (α1j , . . . , αn ). Note that each of the last three rows Q expr(α) R(α) ¯ substitutes every occurrence of R with an updated expression expr.
3.3.2
Hoare verification of SmpSL programs and weakest precondition
Hoare logic is a standard program verification methodology [23]. Let P be a SmpSL program and let ϕpre and ϕpost be FO-sentences. A Hoare triple is of the form {ϕpre }P {ϕpost }. A Hoare triple is a contract relating the state before the program is run with the state afterward. The goal of the verification process is to prove that the contract is correct. Our method of proving that a Hoare triple is valid reduces the problem to that of finite satisfiability of a FO-sentence. We compute the weakest precondition wp[[P ]]ϕpost of ϕpost with respect to the program P . The weakest precondition transformer was introduced in Dijkstra’s classic paper [17], c.f. [24]. Let AP denote the state after executing P on the initial state A. The main property of the weakest precondition is: AP |= ϕpost iff A |= wp[[P ]]ϕpost . Using wp[[·]] we can rephrase the problem of whether the Hoare triple {ϕpre }P {ϕpost } is valid in terms of FO reasoning on finite structures: Is the FO-sentence ϕpre → wp[[P ]]ϕpost a tautology? Equivalently, is the FO-sentence ϕpre ∧ ¬wp[[P ]]ϕpost unsatisfiable? Section 3.3.3 discusses the resulting FO reasoning task. We describe the computation of the weakest precondition inductively for SmpSQL and SmpSL. The weakest precondition for SmpSQL is given in Fig. 3, and for SmpSL in Fig. 4. For SmpSQL conditions, [[·]]R is a formula with n free first-order variables v1 , . . . , vn for a conditional expression in the context of relation schema R of arity n. [[SELECT · · · FROM R · · · ]] is also a formula with free variables v1 , . . . , vn describing the rows selected by the SELECT query. The rules wp[[s]]Q transform a (closed) formula Q, which is a postcondition of the command s, into a (closed) formula expressing the weakest precondition. The notation ψ[t/v] indicates substitution of all free occurrences of the variable v in ψ by the term t. � The notation ψ θ(α1 , . . . , αn )/R(α1 , . . . , αn )] indicates that any atomic sub-formula of ψ of the form R(α1 , . . . , αn ) (for any α1 , . . . , αn ) is replaced by θ(α1 , . . . , αn ) (with the same α1 , . . . , αn ). The formula θ(v1 , . . . , vn ) has n free variables, and θ(α1 , . . . , αn ) is obtained by
2
We deviate from [2] in the treatment of constants in that we do not assume that constant names are always interpreted as distinct members of domU . This is so since several program variables or inputs can have the same value.
S. Itzhaky, T. Kotek, N. Rinetzky, M. Sagiv, O. Tamir, H. Veith, and F. Zuleger
[[c1 = c2 ]] [[c1 != c2 ]] [[R ! = empty]] [[R= empty]]
= b = b = b = b
c1 = c2 c1 6= c2 ∃v1 , . . . , vn R(v1 , . . . , vn ) ¬∃v1 , . . . , vn R(v1 , . . . , vn )
wp[[R = SELECT · · · ]]Q wp[[(d1 , . . . , dn ) = CHOOSE R]]Q wp[[if cond s1 else s2 ]]Q
= b = b = b
�
�
�
Q [[SELECT · · · ]](α1 , . . . , αn ) R(α1 , . . . , αn ) � ∀u1 , . . . , un R(u1 , . . . , un ) → Q[ui /di : 1 ≤ i ≤ n] (¬[[cond]] ∧ wp[[s2 ]]Q) ∨ ([[cond]] ∧ wp[[s1 ]]Q)
Figure 4 Rules for weakest precondition construction for SmpSL basic commands. The weakest precondition of if cond exit; s2 is the same as that of if !cond s2 .
substituting each vi into αi . The αi may be variables or constant names. The weakest precondition of a SmpSL program is obtained by applying the weakest precondition of its commands.
3.3.3
The specification logic FO2BD and decidability of verification
As discussed in Section 3.3.2, using the weakest precondition, the problem of verifying Hoare triples can be reduced to the problem of checking satisfiability of a FO-sentence by a finite structure. While this problem is not decidable in general by Trakhtenbrot’s theorem, it is decidable for a fragment of FO we denote FO2BD , which extends the classical two-variable fragment FO2 . The logic FO2 is the set of all FO formulas which use only variables the variables x and y. The vocabularies of FO2 -sentences are not allowed function names, only relation and constanst names. Note FO2 cannot express that a relation name is interpreted as a function. FO2 contains the equality symbol =. FO2BD extends FO2 by allowing quantification on an unbounded number of variables, under the restriction that all variables besides from x and y range over the bounded domains only. FO2BD is the language of our invariants and pre- and postconditions, see Eq. (1) and Fig. 2 in Section 2. An important property of FO2BD is that it is essentially closed under taking weakest precondition according to Figs. 3 and 4 since all relation schemas in a (valid) database schema have at most 2 attributes whose sort is domU . We reduce the task of reasoning over FO2BD to reasoning over FO2 . I Theorem 1. Let {ϕpre }P {ϕpost } be a Hoare triple such that both ϕpre and ϕpost belong to FO2BD . The problem of deciding whether {ϕpre }P {ϕpost } is valid is decidable. (sketch). By Section 3.3.2, {ϕpre }P {ϕpost } is valid iff θ = ¬(ϕpre ∧¬wp[[P ]]ϕpost ) is satisfiable by a finite structure. We take the simplifying assumption that in all the tables, the sort of the first and second attributes att 1 and att 2 is domU . This assumption does not effect the expressive power of SmpSL. Examination of the weakest precondition rules in Figs. 3 and 4 reveals that the only variables ranging over the unbounded domain are v1 and v2 . Let θ0 be the FO2BD sentence obtained from θ by substituting v1 and v2 with x and y respectively, and restricting the range of the quantifiers appropriately: for a command manipulating or querying a table R with attributes att 1 , . . . , att n in Figs. 3 and 4, each quantifier ∀vk or ∃vk is replaced with ∀sort(att k ) vk or ∃sort(att k ) vk . We compute an FO2 sentence θ00 which is equivalent to θ0 by hard-coding the bounded domains. Every table T which contains an attribute att with sort(att) = domB j of size d is replaced with d tables T1 , . . . , Td which do not have the attribute att. This change is reflected in θ00 , e.g. existential quantification is replaced with disjunction. By the decidability of finite satisfiability of FO2 -sentences, we get that the problem of deciding whether {ϕpre }P {ϕpost } is valid is decidable. J
9
10
On the automated verification of web applications with embedded SQL
4 4.1
FO2 Reasoning The bounded model property of FO2
Section 4 is devoted to our algorithm for FO2 finite satisfiability. The main ingredient for this algorithm is the bounded model property, which guarantees that if an FO2 (τ ) sentence φ over vocabulary τ is satisfiable by any τ -structure – finite or infinite – it is satisfiable by a finite τ -structure whose cardinality is bounded by a computable function of φ. The bound guaranteed in the first decidability proof of the finite satisfiability problem by Mortimer [29] was doubly exponential in the size of the formula. Later, Grädel, Kolaitis and Vardi [21] proved the exponential model property, from which we get that the problem is NEXPTIMEcomplete. The naive NEXPTIME algorithm arising from the exponential model property amounts to computing the exponential bound bnd(φ) from [21], non-deterministically guessing t ≤ bnd(φ) and a τ -structure A with universe {1, . . . , t}, checking whether A satisfies φ, and answering accordingly. Since the truth-value of FO-sentences is invariant to τ -isomorphisms, a τ -structure of cardinality at most bnd(φ) satisfies φ iff such a structure with universe {1, . . . , t}, t ≤ bnd(φ), satisfies φ. Appendix D.3 discusses a more refined version of the bound from [21].
4.2
Finite satisfiability using a SAT solver
Our algorithm for FO2 finite satisfiability reduces the problem of finding a satisfying model of cardinality bounded by bnd to the satisfiability of a propositional Boolean formula in Conjunctive Normal Form CNF, which is then solved using a SAT solver. The bound in [21] is given for formulas in Scott Normal Form (SNF) only. We use a refinement of SNF we call Skolemized Scott Normal Form (SSNF). The CNF formula we generate encodes the semantics of the sentence ψ on a structure whose universe cardinality is bounded by bnd. An early precursor for the use of a SAT solver for finite satsifiability is [28].
4.2.1
Skolemized Scott Normal Form
An FO2 -sentence is in Skolemized Scott Normal Form if it is of the form ! m m ^ ^ ∀x∀y α(x, y) ∧ Fi (x, y) → βi (x, y) ∧ ∀x∃y Fi (x, y) i=1
(2)
i=1
where α and βi , i = 1, . . . , m, are quantifier-free formulas which do not contain any Fj , j = 1, . . . , m. Note that Fi are relation names. I Proposition 1. Let τ be a vocabulary and φ be a FO2 (τ )-sentence. There are polynomialtime computable vocabulary σ ⊇ τ and FO2 (σ)-sentence ψ such that (a) ψ is in SSNF; (b) The set of cardinalities of the models of φ is equal to the corresponding set for ψ; and (c) The size of ψ is linear in the size of φ. Proposition 1 follows from the discussion before Proposition 3.1 in [21], by applying an additional normalization step converting SNF sentences to SSNF sentences.34 3
4
The word Skolemized is used in reference to the standard Skolemization process of eliminating existential quantifiers by introducing fresh function names called Skolem functions. In our case, since function names are not allowed in our fragment, we introduce the relation names Fi , to which we refer as Skolem relations. Moreover, we cannot eliminate the existential quantifiers entirely, but only simplify the formulas in their scope to the atoms Fi (x, y). The linear size of ψ uses our relation symbols have arity at most 2 to get rid of a log factor in [21].
S. Itzhaky, T. Kotek, N. Rinetzky, M. Sagiv, O. Tamir, H. Veith, and F. Zuleger
4.2.2
The CNF formula
Given the sentence ψ in SSNF from Eq. (2) and a bound bnd(ψ), we build a CNF propositional Boolean formula Cψ which is satisfiable iff ψ is satisfiable. The formula Cψ will serve as the input to the SAT solver. First we construct a related CNF formula Bψ . The crucial property of Bψ is that it is satisfiable iff ψ is satisfiable by a model of cardinality exactly bnd(ψ). It is convenient to assume ψ does not contain constants. If ψ did contain constants c, they could be replaced by unary relations Uc of size 1. Being an unary relation of size 1 is definable in FO2 . Any atom containing c cannot use both x and y, and hence the universe member interpreting c can be quantified: e.g. R(x, c) is replaced with ∃y Uc (y) ∧ R(x, y). Let const(ψ) be the set of unary relations Uc corresponding to constants. We start by introducing the variables and clauses which guarantee that Bψ encodes a structure with the universe {1, . . . , bnd(ψ)}. Later, we will add clauses to guarantee that this structure satisfies ψ. For every unary relation name U in ψ and `1 ∈ {1, . . . , bnd(ψ)}, let vU,`1 be a propositional variable. For every binary relation name R in ψ and `1 , `2 ∈ {1, . . . , bnd(ψ)}, let vR,`1 ,`2 be a propositional variable. The variables vU,`1 and vR,`1 ,`2 encode the interpretations of the unary and binary relation names U and R in the straightforward way (defined precisely below). Let Vψ be the set of all variables vU,`1 and vR,`1 ,`2 . Given an assignment S to the variables of Vψ we define the unique structure AS as follows: 1. The universe AS of AS is {1, . . . , bnd(ψ)}; 2. An unary relation name U is interpreted as the set {`1 ∈ AS | S(vU,`1 ) = T rue}; 3. A binary relation name R is interpreted as the set {(`1 , `2 ) ∈ A2S | S(vR,`1 ,`2 ) = T rue}; For every structure A with universe {1, . . . , bnd(ψ)}, there is S such that A = AS . Before defining Bψ precisely we can already state the crucial property of Bψ : I Proposition 2. satisfiable.
ψ is satisfiable by a structure with universe {1, . . . , bnd(ψ)} iff Bψ is
The formula Bψ is the conjunction of B eq , B ∀∃ , and B ∀∀ , described in the following. The equality symbol. The equality symbol requires special attention. Let ^ ^ B eq = (¬v=,`1 ,`2 ) ∧ v=,`,` 1≤`1 6=`2 ≤m
1≤`≤m
B eq enforces that the equality symbol is interpreted correctly as the equality relation on universe elements. ∀∃ The ∀∃-conjuncts. For every conjunct ∀x∃y Fi (x, y) and 1 ≤ `1 ≤ bnd(ψ), let Bi,` be the 1 Wbnd(ψ) clause `2 =1 vFi ,`1 ,`2 . This clause says that there is at least one universe element `2 such that AS |= F (`1 , `2 ). Let ^ ^ ∀∃ B ∀∃ = Bi,` 1 1≤i≤m 1≤`1 ≤bnd(ψ)
For every truth-value assignment S to Vψ , AS satisfies
Vm
i=1
∀x∃y Fi (x, y) iff S satisfies B ∀∃ .
The ∀∀-conjunct. Let ∀x∀y α0 be the unique ∀∀-conjunct of ψ. For every 1 ≤ `1 , `2 ≤ bnd(ψ), let α`001 ,`2 denote the propositional formula obtained from the quantifier-free FO2 formula α0 by substituting every atom a with the corresponding propositional variable for `1 and `2 as follows: U (x) 7→ vU,`1 , R(y, y) 7→ vR,`2 ,`2 , R(x, x) 7→ vR,`1 ,`1 U (y) 7→ vU,`2 , R(x, y) 7→ vR,`1 ,`2 , R(y, x) 7→ vR,`2 ,`1 00 Let B`∀∀ be the Tseitin transformation of α to CNF [35], see also [6, Chapter 2]. The `1 ,`2 1 ,`2 Tseitin transformation introduces a linear number of new variables of the form uγ`1 ,`2 , one for
11
12
On the automated verification of web applications with embedded SQL
web-subscribe web-unsubscribe firewall conf-bid conf-assign conf-display
FO2 -solver
Z3
2.62s 0.779s 0.876s 0.451s 0.369s 0.992s
0.08s OM OM 0.015s 0.013s 0.016s
FO2 -solver
Z3
1.07s 8.209s 2.82s TO 1.196s TO
0.1s 0.1s 0.103s 0.22s 0.2s 0.16s
web-subscribe web-unsubscribe firewall conf-bid conf-assign conf-display
incorrect Table 1 Running time comparison for example benchmarks
correct
each sub-formula γ of α`001 ,`2 . The transformation guarantees that, for every assignment S of Vψ , S satisfies α`001 ,`2 iff S can be expanded to satisfy B`∀∀ . Let 1 ,`2 B ∀∀ =
^
B`∀∀ (`1 , `2 ) 1 ,`2
1≤`1 ,`2 ≤bnd(ψ)
Appendix D.1 gives the construction of the CNF formula B ∀∀ according to the Tseitin transformation explicitly. The construction of Bψ is finished and Proposition 2 holds. Note that [21] guarantees only that bnd(ψ) is an upper bound on the cardinality of a satisfying model. Therefore, we build a formula Cψ based on Bψ such that Cψ is satisfiable iff ψ is satisfiable by a structure of cardinality at most bnd(ψ). We leave the technical details of the construction of Cψ to the appendix. The algorithm for finite satisfiability of a FO2 -sentence φ consists of computing the SSNF ψ of φ and returning the result of a satisfiability check using a SAT solver on Cψ . Both the number of variables and the number of clauses in CUni(ψ) are quadratic in bnd(ψ).
5 5.1
Experimental Results Details of our tools
The verification condition generator described in Section 3.3.2 is implemented in Java, JFlex and CUP. It is employed to parse the schema, precondition and postcondition and the SmpSL programs. The tool checks that the pre and post conditions are specified in FO2 and that the scheme is well defined. The SMT-LIB v2 [4] standard language is used as the output format of the verification condition generator. We compare the behavior of our FO2 -solver with Z3 on the verification condition generator output. The validity of the verification condition can be checked by providing its negation to the SAT solver. If the SAT solver exhibits a satisfying assignment then that serves as counterexample for the correctness of the program. If no satisfying assignment exists, then the generated verification condition is valid, and therefore the program satisfies the assertions. The FO2 -solver described in Section 4 is implemented in python and uses pyparsing to parse the SMT-LIB v2 [4] file. The FO2 -solver assumes a FO2 -sentence as input and uses Lingeling [5] SAT solver as a base Solver.
5.2
Example applications
We tried our approach with a few programs inspired by real-life applications. The first case study is a simplified version of the newsletter functionality included in the PANDA web
S. Itzhaky, T. Kotek, N. Rinetzky, M. Sagiv, O. Tamir, H. Veith, and F. Zuleger
administrator, that was already discussed and is shown in Fig. 1.5 The second is an excerpt from a firewall that updates a table of which device is allowed to send packets to which other device. See Appendix C for the code and specifications of the firewall. The third is a conference management system with a database of papers, and transactions to manage the review process: reviewers first bid on papers from the pool of submissions, with a policy that a users cannot bid for papers with which they are conflicted. The chair then assigns reviewers to papers by selecting a subset of the bids. At any time, users can ask to display the list of papers, with some details, but the system may hide some confidential information, in particular, users should not be able to see the status of papers before the program is made public. We show how our system detects an information flow bug in which the user might learn that some papers were accepted prematurely by examining the session assignments. This bug is based on a bug we observed in a real system. See Appendix B for the code and specifications of the conference management system. Each example comes with two specifications, one correct and the other incorrect. The running time in seconds for all of our examples is reported in Table 1. Timeout is set to 60 minutes and denoted as TO. If the solver reaches out of memory we mark it as OM. On the set of correct examples, both solvers answer within a few seconds, Z3 terminates within milliseconds, while FO2 -solver takes a few seconds and times out on some of them. On the set of incorrect examples, Z3 fails to answer while our solver performs well. Note that correct examples correspond to unsatisfiable FO2 -sentences, while incorrect examples correspond to satisfiable FO2 -sentences.
5.3
Examining scalability
Inflated examples. In order to evaluate scalability to large examples we inflated our base examples. For instance, while the subscribe example from Table 1 consisted of the subscription of one new email to a mailing-list, Table 2 presents analogous examples in which multiple emails are subscribed to multiple mailing-lists. The column multiplier details the number of individual subscriptions in each example program. The unsubscribe and firewall example programs are inflated similarly (see Appendix C.1). We have tested both our FO2 -solver and Z3 on large examples and the results reported in Table 2. The high-level of the results is similar to the case of the small examples. On the incorrect examples set Z3 continues to fail mostly due to running out of memory, though it succeeds on the subscribe example. On the correct examples set Z3 continues to outperform the FO2 -solver. Artificial examples. In addition, we constructed a set of artificial benchmarks comprising of several families of FO2 -sentences. Each family is parameterized by a number that controls the size of the sentences (roughly corresponding to the number of quantifiers in the sentence). These problems are inspired by combinatorial problems such as graph coloring and paths. We ran experiments using the FO2 -solver and three publicly available solvers: Z3, CVC4 (which are SMT solvers), and Nitpick (a model checker). The results are collected in Table 3. The artificial benchmarks are available at http://forsyte.at/wp-content/ uploads/artificial-smt2.tar.gz.
5
We omit the confirmation step due to a missing feature in the implementation of the weakest precondition, however the final version of the tool will support the code from Table 1.
13
14
On the automated verification of web applications with embedded SQL
multiplier incorrect correct
1
subscribe unsubscribe firewall subscribe unsubscribe firewall
2.62s 0.779s 0.876s 1.07s 8.209s 2.82s
FO2 -solver 10 0.973s 0.529s 0.723s 98.249s 456.308s 50.142s
100
1
Z3 10
100
4.04s 1.27s 2.251s TO TO 2951.882s
0.08s OM OM 0.1s 0.1s 0.103s
0.126s OM OM 0.11s 0.157s 0.121s
0.203s OM OM 0.116s 0.201s 0.143s
Table 2 Running time comparison on inflated examples
2col
alternating-paths alternating-simple-paths
exponential one-var-alternating-sat one-var-alternating-unsat one-var-nested-exists-sat one-var-nested-forall-sat path-unsat
size
status
Z3
CVC4
Nitpick
FO2 -solver
3 4 5 6 10 11 14 40 2 100 3 4 7 10 3 4 300 5 300 500 2 3 6
unsat sat unsat sat sat unsat sat sat sat sat sat sat sat sat sat sat sat unsat sat sat unsat unsat unsat
0m0.037s TO 0m0.702s TO TO 1m32.664s TO TO 0m0.049s TO TO TO TO TO TO TO 0m0.037s 0m0.026s 0m0.031s 0m0.033s 0m0.033s 0m0.030s 0m0.037s
0m0.076s TO 0m0.477s TO TO 0m30.912s TO TO TO TO TO TO TO TO TO TO 0m0.497s 0m0.073s 0m0.045s TO 0m0.044s 0m0.062s 0m0.891s
TO 0m7.038s TO 0m8.973s 0m37.944s TO 2m13.661s TO 0m11.144s TO TO TO TO TO 0m12.255s 0m15.358s 0m11.605s 0m22.537s 0m7.132s 0m7.183s TO TO TO
TO 0m5.433s TO 0m9.323s 0m19.580s TO TO TO 0m1.105s 0m9.671s 0m6.754s 0m10.128s TO TO 0m1.847s 11m6.482s 0m9.720s 0m54.198s 0m0.562s 0m7.318s 1m37.099s 1m35.451s 1m39.209s
Table 3 Running time comparison on artificial benchmarks
Scalability of FO2 -solver. We shall conclude that the FO2 -solver, despite being a proof of concept in python with minimal optimizations, handles well incorrect specifications (satisfiable sentences) and also scales well on them. However it struggles on the correct specifications and does not scale well. This suggests that in future work we may choose to run both our solver and Z3 in parallel and answer according the first answer obtained. We also intend to explore how to improve the performance of our solver in the case of incorrect examples. By construction, whenever FO2 -solver finds a satisfying model, its size is at most 4 times that of the minimal model. (The constant 4 can be decreased or increased. )
6
Discussion
Related work. Verification of database-centric software systems has received increasing attention in recent years [15]. Tools from program analysis and model-checking are used to reason about the correctness of programs which access a database. Unlike our approach, the services accessing the database are usually provided a priori in terms of a specification in the
S. Itzhaky, T. Kotek, N. Rinetzky, M. Sagiv, O. Tamir, H. Veith, and F. Zuleger
style of a local contract [30, 26]. The code of the services themselves may be automatically synthesized from the specification, cf. e.g. [19, 20, 15, 16]. The focus of verification then is on global temporal properties of the system assuming the local contracts. In contrast, out goal is to verify that the input code (written by a programmer rather than generated automatically) is correct with respect to a local specification. We discuss this also in Section 6. Several papers use variations of FO2 to study verification of programs that manipulate relational information. [8] presents a verification methodology based on FO2 , a description logic and a separation logic for analyzing the shapes and content of in-memory data structures. [32] develops a logic similar to FO2 to reason about shapes of data structures. In both [8] and [32], the focus is on analysis of shapes in dynamically-allocated memory, and databases are not studied. Furthermore, no tools based on these works are available. A description logic related to FO2 was used in [9] to verify that graph databases preserve the satisfaction of constraints as they evolve. The focus of this work is on the correctness of the database, rather than the programs manipulating it. The verification method suggested was not implemented. In fact, to our knowledge no description logic solver implements reasoning tasks for the description logic counterpart of FO2 studied in [9], not even solvers for expressive description logics such as SROIQ. Verification of script programs with embedded queries has revolved around security, see [18]. However, it seems no other work has been done on such programs. Conclusion and future work. We developed a verification methodology for script programs with access to a relational database via SQL. We isolated a simple but useful fragment SmpSQL of SQL and developed a simple script programming language SmpSL on top of it. We have shown that verifying the correctness of SmpSL programs with respect to specifications in FO2BD is decidable. We implemented a solver for the FO2 finite satisfiability problem, and, based on it, a verification tool for SmpSL programs. Our experimental results are very promising and suggest that our approach has great potential to evolve into a mainstream method for the verification of script programs with embedded SQL statements. While we believe that many of the SQL statements that appear in real-life programs fall into our fragment SmpSQL it is evident that future tools need to consider all of database usage in real-world programs. In future work, we will explore the extension of SmpSL and SmpSQL. Our next goal is to be able to verify large, real-life script programs such as Moodle [1], whose programming language and SQL statements use e.g. some arithmetic or simple inner joins. To do so, we will adapt our approach from the custom-made syntax of SmpSL to a fragment of PHP. We will both explore decidable logics extending FO2BD , and investigate verification techniques based on undecidable logics including the use of firstorder theorem provers such as Vampire [33, 25] and abstraction techniques which guarantee soundness but may result in spurious errors [12]. For dealing with queries with transitive closure, it is natural to consider fragments of Datalog [10]. A natural extension is to consider global temporal specifications in addition to local contracts. Here the goal is to verify properties of the system which can be expressed in a temporal logic such as Linear Temporal Logic LTL [31, 11]. The approach surveyed in [15], which explore global temporal specifications of services given in terms of local contracts, may be a good basis for studying global temporal specifications in our context. Another research direction which emerges from the experiments in Section 5 is to explore how to improve the performance of our FO2 solver on unsatisfiable inputs.
15
16
On the automated verification of web applications with embedded SQL
References 1 2 3
4 5 6 7
8 9 10
11
12
13 14 15 16
17 18 19 20
21
Moodle. http://sourceforge.net/projects/moodle/, 2001–2015. Serge Abiteboul, Richard Hull, and Victor Vianu. Foundations of databases, volume 8. Addison-Wesley Reading, 1995. Clark Barrett, Christopher L. Conway, Morgan Deters, Liana Hadarean, Dejan Jovanović, Tim King, Andrew Reynolds, and Cesare Tinelli. Cvc4. In Proceedings of the 23rd International Conference on Computer Aided Verification, CAV’11, pages 171–177, Berlin, Heidelberg, 2011. Springer-Verlag. Clark Barrett, Aaron Stump, and Cesare Tinelli. C.: The SMT-LIB standard: Version 2.0. Technical report, 2010. Armin Biere. Lingeling, Plingeling, PicoSAT and PrecoSAT at SAT race 2010. 2010. Armin Biere, Marijn Heule, and Hans van Maaren. Handbook of satisfiability, volume 185. IOS press, 2009. Jasmin Christian Blanchette and Tobias Nipkow. Nitpick: A counterexample generator for higher-order logic based on a relational model finder. In International Conference on Interactive Theorem Proving, pages 131–146. Springer, 2010. Diego Calvanese, Tomer Kotek, Mantas Šimkus, Helmut Veith, and Florian Zuleger. Shape and content. In Integrated Formal Methods, pages 3–17. Springer, 2014. Diego Calvanese, Magdalena Ortiz, and Mantas Simkus. Evolving graph databases under description logic constraints. In Description Logics, pages 120–131, 2013. Stefano Ceri, Georg Gottlob, and Letizia Tanca. What you always wanted to know about datalog (and never dared to ask). Knowledge and Data Engineering, IEEE Transactions on, 1(1):146–166, 1989. Edmund M. Clarke, E. Allen Emerson, and A. Prasad Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems (TOPLAS), 8(2):244–263, 1986. Edmund M. Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith. Counterexample-guided abstraction refinement. In Computer Aided Verification, 12th International Conference, 2000, Chicago, IL, USA, July 15-19, 2000, Proceedings, pages 154–169, 2000. Edgar F Codd. Relational completeness of data base sublanguages. IBM Corporation, 1972. Leonardo De Moura and Nikolaj Bjørner. Z3: An efficient SMT solver. In Tools and Algorithms for the Construction and Analysis of Systems, pages 337–340. Springer, 2008. Alin Deutsch, Richard Hull, and Victor Vianu. Automatic verification of database-centric systems. SIGMOD Record, 43(3):5–17, 2014. Alin Deutsch, Monica Marcus, Liying Sui, Victor Vianu, and Dayou Zhou. A verifier for interactive, data-driven web applications. In Proceedings of the 2005 ACM SIGMOD International Conference on Management of Data, SIGMOD ’05, pages 539–550, New York, NY, USA, 2005. ACM. Edsger W Dijkstra. Guarded commands, nondeterminacy and formal derivation of programs. Communications of the ACM, 18(8):453–457, 1975. Michael Felderer, Matthias Büchler, Martin Johns, Achim D Brucker, Ruth Breu, and Alexander Pretschner. Security testing: A survey. Advances in Computers, 2015. Mary F. Fernández, Daniela Florescu, Alon Y. Levy, and Dan Suciu. Declarative specification of web sites with Strudel. VLDB J., 9(1):38–55, 2000. Daniela Florescu, Valerie Issarny, Patrick Valduriez, and Khaled Yagoub. Weave: A dataintensive web site management system. In In Proc. of the Conf. on Extending Database Technology (EDBT, 2000. Erich Grädel, Phokion G Kolaitis, and Moshe Y Vardi. On the decision problem for twovariable first-order logic. Bulletin of symbolic logic, 3(01):53–69, 1997.
S. Itzhaky, T. Kotek, N. Rinetzky, M. Sagiv, O. Tamir, H. Veith, and F. Zuleger
22 23 24 25 26 27 28
29 30 31 32
33 34 35 36
Alessandro Grassi and Marco Nenciarini. Panda - the php-based email administrator. http: //panda-admin.sourceforge.net/index.php?mode=home, 2007–2015. Charles A. R. Hoare. An axiomatic basis for computer programming. Communications of the ACM, 12(10):576–580, 1969. Ranjit Jhala and Rupak Majumdar. Software model checking. ACM Computing Surveys (CSUR), 41(4):21, 2009. Laura Kovács and Andrei Voronkov. First-order theorem proving and Vampire. In Computer Aided Verification, pages 1–35. Springer, 2013. S. Kumaran, P. Nandi, T. Heath, K. Bhaskaran, and R. Das. Adoc-oriented programming. In In Symp. on Applications and the Internet (SAINT), 2003. Leonid Libkin. Expressive power of SQL. Theoretical Computer Science, 296(3):379–404, 2003. William Mccune. A davis-putnam program and its application to finite first-order model search: Quasigroup existence problems. Technical report, Argonne National Laboratory, 1994. Michael Mortimer. On languages with two variables. Mathematical Logic Quarterly, 21(1):135–140, 1975. A. Nigam and N. S. Caswell. Business artifacts: An approach to operational specification. IBM Systems Journal, 42, 2003. Amir Pnueli. The temporal logic of programs. In Foundations of Computer Science, 1977., 18th Annual Symposium on, pages 46–57. IEEE, 1977. Arend Rensink. Canonical graph shapes. In David Schmidt, editor, Programming Languages and Systems, volume 2986 of Lecture Notes in Computer Science, pages 401–415. Springer Berlin Heidelberg, 2004. Alexandre Riazanov and Andrei Voronkov. The design and implementation of Vampire. AI communications, 15(2, 3):91–110, 2002. Boris Trakhtenbrot. The impossibility of an algorithm for the decidability problem on finite classes. In Proceedings of the USSR Academy of Sciences, volume 70, pages 569–572, 1950. Grigori S Tseitin. On the complexity of derivation in propositional calculus. In Automation of reasoning, pages 466–483. Springer, 1983. Hugh E Williams and David Lane. Web database applications with PHP and MySQL. O’Reilly Media, Inc., 2004.
17
18
On the automated verification of web applications with embedded SQL
A
PANDA web administrator
A.1
PANDA Source Code: confirm.php
We present the code of newsletters/confirm.php from PANDA Web Administrator version 1.0rc2 in Fig. 5. The code was translated manually to the confirm function in Fig. 1. The biggest difference between the PHP code and the SmpSL code is that the PHP code uses dbh->getRow to perform an SQL query which returns one row, whereas in SmpSL this is divided into two steps: first a SELECT query is executed and then CHOOSE selects one row. Additionally, the PHP code performs some more sanity checks, Figure 5 The code of confirm.php, on which confirm in Fig. 1 is based.
S. Itzhaky, T. Kotek, N. Rinetzky, M. Sagiv, O. Tamir, H. Veith, and F. Zuleger
A.2
Correcting the Error in Panda Source Code
In Section 2 we described a natural correction of the error in the running example. Under this correction, confirm − corrected satisfies the pre- and postconditions preconfirm and postconfirm from Fig. 2. confirm-corrected(cd,subgh ): A = SELECT subscribe FROM NS WHERE code = cd; if (A = empty) exit; //"No such code" if (subgh = false) UPDATE NS SET subscribed = true, code = nil WHERE code = cd else DELETE FROM NS WHERE code = cd; subgh is no longer a ghost variable. Now it is a second argument to confirm − corrected. The function subscribe, which had generated URLs calling confirm with one argument, namely the confirm code, now generates URLs with an additional argument true. Similarly, unsubscribe generates URLs with the additional argument false.
B
The Conference Management Example
In this example we verify parts of a system for conference management which assigns reviewers to papers and records the reviews and acceptance/rejection decisions. We focus on the earlier parts of the reviewing process: First, potential reviewers (e.g. PC members) bid on papers to review. Based on the bids, reviewers are assigned to the papers (e.g. by the PC chair). An additional functionality of the system that we focus on is displaying the list of papers by a specific author.
B.1
The database
The database contains the following tables and columns: Papers with columns paperId, status, and session. The column status is over the bounded domain consisting of undecided, accepted, or rejected. The column session ranges over the bounded domain consisting of null,blank,invited,1,. . .,k; PaperAuthor with columns userId and paperId; ReviewerBids with columns userId and paperId; ReviewerAssignments with columns userId and paperId; Conflicts with columns userId and paperId. The columns userId and paperId range over the unbounded domain. The key of Papers is paperId. The other tables have a many to many relationship between userId and paperId attesting respectively to the fact that the user is the author of the paper, the user has bid to review the paper, the user has been assigned to review the paper, or the user is in conflict with the paper (and therefore cannot review it). Before the bidding process begins, all papers are assigned the status undecided and the session invited (for an invited paper) or null (for a contributed submission). The session value blank comes up in the display function, and is at the root of a bug in the program.
B.2
The functions bid, assign, and display
The functions bid, assign, and display are referred to as conf-bid, conf-assign, and conf-display in Table 1. The code of the functions bid, assign, and display can be found in Fig. 6. The function bid registers that the user usr is willing to review the paper ppr with the sanity check that there is no conflict between the user and the paper. The table A is either empty whenever no conflict is found, or contains the single row ppr when there is a conflict. The function assign registers that the user usr is assigned to review the paper ppr. The function display receives as input the user id usr and returns the list of papers by usr that should be displayed. If the review phase of the conference is not yet completed (i.e. the Boolean argument stillReviewing has value true), display removes the
19
20
On the automated verification of web applications with embedded SQL
bid(usr, ppr): A = SELECT paperId FROM Papers WHERE paperId = ppr AND NOT (paperId IN (SELECT paperId FROM Conflicts WHERE userId = usr)); if (A = empty) exit; INSERT (usr, ppr) INTO ReviewerBids
assign(usr,ppr): INSERT (usr, ppr) INTO ReviewerAssignments
display-incorrect(usr, stillReviewing): Output = SELECT * FROM Papers WHERE paperId IN (SELECT paperId FROM PaperAuthor WHERE userId = usr); if (stillReviewing = false) exit; UPDATE Output SET session = blank WHERE session IN 1,...,k
display-correct(usr, stillReviewing): Output = SELECT * FROM Papers WHERE paperId IN (SELECT paperId FROM PaperAuthor WHERE userId = usr); if (stillReviewing = false) exit; UPDATE Output SET session = blank WHERE session IN 1,...,k,null
Figure 6 The code of bid, assign, display-incorrect, and display-correct.
session values of contributed papers from the output. This is done to prevent leaking the information that a contributed paper has been accepted (since only accepted papers have sessions) before the status of the paper has been announced. display leaves the status value invited visible. We present two versions of display: one correct and one incorrect. display-incorrect leaves the session value null unchanged. Since null and blank are different values, the information leak which the program tries to avoid is still present. The correct version display-correct differs from display-incorrect by also replacing the status null by blank. This is done by expanding the WHERE condition of the UPDATE.
B.3
The specification
The database preserves two invariants: Inv 1 Inv 2
= =
∀d x, y.ReviewerBids(x, y) → ¬Conflicts(x, y) ∀d x, y.ReviewerAssignments(x, y) → ¬Conflicts(x, y)
These invariants state that no user may bid or be assigned to review a paper with which they are in conflict. The specification of display is as follows: predisplay postdisplay no-leak
= = =
Inv 1 ∧ Inv 2 Inv 1 ∧ Inv 2 ∧ no-leak stillReviewing → (∀d x, y. Output(x, y) → (y = blank ∨ y = invited))
This specification holds for display-correct and does not hold for display-incorrect. For bid and assign we provide two specifications, one correct and one incorrect. The correct specification is as follows: precbid = postcbid = postcassign = Inv1 ∧ Inv2 precassign = Inv1 ∧ Inv2 ∧ ReviewerBids(usr, ppr) In order to ensure that Inv 2 is preserved by assign, we only allow a reviewer assignment to occur if there was a corresponding reviewer bid. Reviewer bids are required to avoid the conflicts by Inv 1 ,
S. Itzhaky, T. Kotek, N. Rinetzky, M. Sagiv, O. Tamir, H. Veith, and F. Zuleger
and thus Inv 2 is preserved. The incorrect specification for bid and assign is as follows: preic bid preic assign postbid
= = =
Inv 2 Inv2 ∧ ReviewerBids(usr, ppr) postassign = Inv1 ∧ Inv2
It is obtained from the correct specification by omitting Inv 1 from the preconditions.
C
The Firewall Example
In this example we verify a simple firewall with respect to a simple invariant. The firewall is provided with a database consisting of two tables: Device and CanSend. The table Device consists of a single column deviceId. The table CanSend consists of two columns senderId and receiverId. The CanSend table determines whether device A is allowed to send to device B. The global invariant of the firewall requires that there exists a device to which every other device can send: Inv firewall = ∃x (Device(x) ∧ ∀y(Device(y) → CanSend(y, x))) We want to verify that this invariant holds when the network topology is changed. We consider the function delete-device: delete-device(deviceToDelete): DELETE FROM CanSend WHERE senderId=deviceToDelete OR receiverId=deviceToDelete DELETE FROM Device WHERE deviceId=deviceToDelete
Table 1 refers to delete-device in the rows labeled firewall. In this table, we experiment with two specifications. The incorrect specification is: {Inv firewall } delete − device {Inv firewall } This specification is incorrect since it is possible that the only device which can receive messages from all other devices is exactly the device deviceToDelete removed by delete-device. Our correct specification is: {predelete−device ∧ Inv firewall } delete − device {Inv firewall } where predelete−device = ∃x ((x 6= deviceToDelete) ∧ Device(x) ∧ ∀y(Device(y) → CanSend(y, x))) This correct specification ensures that there is a device as required which is not deviceToDelete.
C.1
Inflated examples
As a basic test of the scalability of our approach, in Section 5.3 we created large examples by inflating small examples. Here we illustrate this on the firewall example. The following is the result of inflating delete-device with multiplier 3. The function delete-device3 deletes three devices from the network: delete-device3(deviceToDelete1,deviceToDelete2,deviceToDelete3): DELETE FROM CanSend WHERE senderId=deviceToDelete1 OR receiverId=deviceToDelete1 DELETE FROM CanSend WHERE senderId=deviceToDelete2 OR receiverId=deviceToDelete2 DELETE FROM CanSend WHERE senderId=deviceToDelete3 OR receiverId=deviceToDelete3 DELETE FROM Device WHERE deviceId=deviceToDelete1 DELETE FROM Device WHERE deviceId=deviceToDelete2 DELETE FROM Device WHERE deviceId=deviceToDelete3
21
22
On the automated verification of web applications with embedded SQL
The specifications must be altered correspondingly, so the precondition of the correct specification is changed to: predelete−device3
=
∃x((x 6= deviceToDelete1) ∧ (x 6= deviceToDelete2) ∧ (x 6= deviceToDelete3) ∧Device(x) ∧ ∀y(Device(y) → CanSend(y, x)))
The other pre- and postconditions remain unchanged, since they just consist of the invariant. In Table 2, the rows for firewall correspond to the inflated versions of delete-device with the altered specifications.
FO2 Reasoning
D
This appendix gives more detail on the implementation of our FO2 finite satifiability solver. Section D.1 gives explicityly the Tseitin transformation of the ∀∀-conjuct from Section 4.2.2. Section D.3 discusses our use of a refined bound on the size of the maximal model due to [21] to improve the efficiency of the solver.
D.1
The ∀∀-conjunct
Here we give B ∀∀ explicitly. Let ∀x∀y α0 be the unique ∀∀-conjunct of ψ. The CNF formula B ∀∀ will have clauses which explicitly detail the semantics of ∀x∀y α0 (x, y) on the structure AS . We associate each sub-formula γ(x, y) in α0 (x, y) and `1 , `2 ∈ {1, . . . , bnd(ψ)} with a new Boolean variable uγ`1 ,`2 . B ∀∀ will contain clauses guaranteeing that under any assignment S satisfying Bψ , (4) S(uγ`1 ,`2 ) = T rue iff AS |= γ(`1 , `2 ). 0
0 Additionally, we add to B ∀∀ the clause uα `1 ,`2 for all 1 ≤ `1 , `2 ≤ bnd(ψ) to assert that α all values of x and y. It remains to describe the clauses which define the values of uγ`1 ,`2 according to distinguish two cases, depending on whether γ is an atom of ψ or is obtained by applying connective ∨, ∧, ¬ on sub-formulas. Consider first the case that γ(x, y) = ¬(δ(x, y)). 1 ≤ `1 , `2 ≤ bnd(ψ), we add the clauses
¬uγ`1 ,`2 ∨ ¬uδ`1 ,`2
and
is true for (4). We a Boolean For every
uγ`1 ,`2 ∨ uδ`1 ,`2
whose conjunction is equivalent to uγ`1 ,`2 ↔ ¬uδ`1 ,`2 . The other Boolean connectives are axiomatized similarly. For the case of atoms, uγ`1 ,`2 gets it value from one of the v variables by choosing the indices correctly: R(x,y) If γ(x, y) = R(x, y), then for every 1 ≤ `1 , `2 ≤ bnd(ψ), u`1 ,`2 is assigned the same value as vR,`1 ,`2 by adding the clauses R(x,y)
R(x,y)
¬u`1 ,`2 ∨ vR,`1 ,`2 and u`1 ,`2 ∨ ¬vR,`1 ,`2 R(x,y)
to Bψ . The conjunction of these two clauses is equivalent to u`1 ,`2
↔ vR,`1 ,`2 .
R(x,y)
is assigned the same value as vR,`2 ,`1 .
R(x,x)
is assigned the same value as vR,`1 ,`1 .
R(y,y)
is assigned the same value as vR,`2 ,`2 .
If γ(x, y) = R(y, x), then u`1 ,`2
If γ(x, y) = R(x, x), then u`1 ,`2 If γ(x, y) = R(y, y), then u`1 ,`2 If γ(x, y) = U (y), then
U (y) u`1 ,`2
is assigned the same value as vU,`2 .
If γ(x, y) = U (x), then
U (x) u`1 ,`2
is assigned the same value as vU,`1 .
S. Itzhaky, T. Kotek, N. Rinetzky, M. Sagiv, O. Tamir, H. Veith, and F. Zuleger
Axiomatizing models of at size at most bnd(ψ)
D.2
Here we continue the discussion postponed to the appendix in Section 4.2.2. Recall that by Proposition 2, Bψ is satisfiable iff ψ is satisfiable by a structure of cardinality exactly bnd(ψ). However, [21] guarantees only that bnd(ψ) is an upper bound on the cardinality of a satisfying model. In this appendix we explain how to construct Cψ so that it is satisfiable iff ψ is satisfiable by a structure of cardinality at most bnd(ψ) as follows. We compute from ψ a new FO2 -sentence Uni(ψ) in SSNF and set Cψ = BUni(ψ) . Let Uni be a fresh unary relation name. Let Uni(ψ) be:
!
m+1
∀x∀y
Uniα (x, y) ∧
^
Fi (x, y) → Uniβi (x, y)
i=1
m+1
∧
^
∀x∃y Fi (x, y)
i=1
with Uniα (x, y) = Uni(x)∧Uni(y) → α(x, y), Uniβi (x, y) = Uni(x)∧Uni(y) → βi (x, y), i = 1, . . . , m, and Uniβm+1 (x, y) = Uni(y). Fm+1 is used to guarantee that Uni is non-empty. Let voc(Uni(ψ)) be the vocabulary of Uni(ψ). I Proposition 3. Let A be a voc(Uni(ψ))-structure. Let AUni be the substructure of A whose universe is Uni A . We have A |= Uni(ψ) iff AUni |= ψ.
D.3
An efficient finite satisfiability algorithm
The algorithm from Section 4.1 on which our algorithm in Section 4.2 is based was written from a theoretical point of view aiming to simplify the proof of the NEXPTIME-completeness of the finite satisfiability problem. In this section, we introduce several optimizations which, while not affecting the complexity of the problem, improve the performance of our satisfiability solver.
D.3.1
A refined upper bound
In the course of the proof of the bounded model property, [21] give a more refined version of the upper bound on the size of a minimal satisfying model. This more refine version leads to smaller upper bounds in many cases. To state the refined upper bound we need some definitions. I Definition 2. (1-types and kings) 1. A 1-type t(x) is a maximally consistent set of atomic formulas and their negations which do not have y as a free variable. 2. For a structure A and an element a of the universe of A, the 1-type of a in A is the unique 1-type t(x) such that A |= t(a). We say that a realizes t in A. 3. Given a structure A and an element a of A, a is a king in A if there is no other element in A with the same 1-type as a. For example, for a vocabulary consisting of one binary relation name R and one constant name c, the following is a 1-type: {R(c, c), R(x, c), ¬R(c, x), R(x, x), ¬(x = c), ¬(c = x), (x = x), (c = c)} I Lemma 3 ([21], Theorem 4.3). Let ψ be a sentence in Skolemized Scott Normal Form and let m be the number of conjuncts of the form ∀x∃y βi as in Eq. (2). Let A be a structure satisfying ψ. Let K be the set of all kings in A and let P be the set of 1-types realized in A. There is a structure of cardinality at most (m + 1)|K| + 3m(|P | − |K|)
(3)
which satisfies A. The bound in Lemma 3 requires already having a model of ψ. However, we can use it to get a bound based on syntactic considerations only. For m ≥ 1, Eq. (3) can be bounded from above by the sum over all 1-types t(x), such that t(x) contributes (m + 1) if t(x) contains x = c for some c ∈ const(ψ),
23
24
On the automated verification of web applications with embedded SQL
and 3m otherwise. Note that the number of 1-types containing x = c for some c ∈ const(ψ) in any one structure is at most |const(ψ)|. Hence, Eq. (3) is at most:
X
|const(ψ)| (m + 1) +
W
t(x)6|=
c∈const(ψ)
3m
(4)
x=c
Notice that this bound does not depend on whether the 1-types in the sum are realized in any structure. It is correct since (1) any 1-type which implies that x = c for any constant is necessarily a king and thus contributes m + 1, while (2) any other 1-type, which may or may not be a king, contributes at most max(m + 1, 3m) = 3m. We can now augment the algorithm in Section 4.2 to use the refined bound from Eq. (4). Our algorithm uses Proposition 1 to transform a FO2 -sentence φ into Scott Normal Form, which adds a new relation name for every quantifier and every connective in φ. This comes at a heavy cost to performance, since the number of 1-types summed over in Eq. (4) is exponential in the number of relation and constant names in Scott Normal Form of φ. In this section we provide a more economic procedure for this purpose, which introduces new relation names only as a last resort. Given a FO2 -sentence φ, we construct a sentence ψ in Scott Normal Form such that φ and ψ are satisfiable by models of the same cardinalities. We construct a sequence of pairs (φk , ψk ), 1 ≤ k ≤ r as follows. The sequence is built according to the process described below. The length r of the sequence is determined by applying the process until no further steps can be applied. The sequence satisfies: – φ0 is the Negation Normal Form6 of φ and ψ0 = ∀x∀y T rue, – φr = T rue and ψr = ψ, – ψk is in Scott Normal Form for all 1 ≤ k ≤ r, and – the sets of cardinalities of the models of φk ∧ ψk are equal for all 1 ≤ k ≤ r. Given (φk , ψk ) we compute (φk+1 , ψk+1 ) iteratively as follows: 1. If φk is in one of the forms: ∀xQy � ∀yQx �
∀x � ∀y �
where � is quantifier-free and Q is a quantifier, i.e. Q ∈ {∃, ∀}, then ψk+1 is obtained from ψk as follows. If Q = ∀, ψk+1 is obtained by adding � as a new conjunct inside the quantifiers ∀x∀y. If Q = ∃, ψk+1 is obtained by adding a new conjunct ∀x∃y � or ∀y∃x � to ψk . We set φk+1 to True. We end the iteration by setting r to k + 1, 2. If φk is a conjunction in which one of the conjuncts γ is of one of the forms in the previous item, then ψk+1 is obtained from ψk as in the previous item and φk+1 is obtained from φk by removing γ from the conjunction. 3. If there is an existential quantifier not in the scope of any other quantifier in φk , then φk+1 is obtained by removing the existential quantifier and replacing all the occurrences of the quantified variable bound to this quantifier with one fresh constant name. We set ψk+1 = ψk . Note for the correctness of this step that we are using here that the formulas are in Negation Normal Form, i.e. this existential quantifier may be in the scope of the ∧ and ∨ operators only. 4. If φk is of one of the following forms, or if φk is a conjunction in which one of the conjuncts γ is of one of the following forms: ∀z1 ((Qz2 δ1 ) ∨ δ2 ) ∀z1 ((Qz2 δ1 ) ∧ δ2 ) ∀z1 (δ1 ∨ (Qz2 δ2 )) ∀z1 (δ1 ∧ (Qz2 δ2 ))
6
An FO formula is in Negation Normal Form (NNF) if the scope of every negation symbol ¬ is an atom. It is well-known that for every FO formula γ, an equivalent formula γ 0 in NNF can be computed in linear time.
S. Itzhaky, T. Kotek, N. Rinetzky, M. Sagiv, O. Tamir, H. Veith, and F. Zuleger
where Q ∈ {∃, ∀}, z1 , z2 ∈ {x, y} and z1 6= z2 , φk+1 is obtained by taking the quantifier Qz2 out of the scope of the Boolean connective. E.g., we substitute ∀z1 ((Qz2 δ1 )∨δ2 ) with ∀z1 Qz2 (δ1 ∨δ2 ). We set ψk+1 = ψk . Note for the correctness of this step that the δj not in the scope of Q does not have z2 as a free variable, since we are dealing with sentences. 5. If φk is quantifier-free, ψk+1 is obtained from ψk by adding φk as a new conjunct inside the quantifiers ∀x∀y in ψk . We set φk+1 to True and end the process by setting r = k + 1. 6. If none of the previous items applied to φk in this iteration, we eliminate one quantifier from φk in spirit of the discussion before Proposition 3.1 in [21]. Let γ be a sub-formula of φk of the form Qz δ, where Q ∈ {∃, ∀}, z ∈ {x, y} and δ is quantifier-free. Let z¯ ∈ {x, y} such that z 6= z¯. The sentence φk+1 is obtained by substituting γ by E(¯ z ) in φk , where E is a fresh unary relation name. Let θ = ∀¯ z ((Qzδ) ↔ E(¯ z )). The sentence θ says that E is interpreted as the set of universe elements u for which Qzδ holds. θ is equivalent to the conjunction of θ∀∀ and 0 0 0 0 θ∀∃ such that θ∀∀ is of the form ∀x∀y θ∀∀ and θ∀∃ is of the form ∀x∃y θ∀∃ , and θ∀∀ and θ∀∃ are 0 quantifier-free. Let ψk+1 be obtained by adding the conjunct θ∀∃ to φk and adding θ∀∀ as a new conjunct inside the ∀∀-conjunct of φk . Only item 6 increases the number of names, so it is only used when no other item applies. The procedure terminates because every item, except for item 4, removes a quantifier when going from φk to φk+1 , and whenever item 4 is applied, in the next iteration either item 1 or item 2 will be applied.
D.3.2
Ruling out unfeasible 1-types
Up until now, we have bounded the number of 1-types which are realized in some structure A satisfying φ with the number of all 1-types. However, it is possible to determine that some 1-types are not feasible in any structure satisfying φ and subtract them from the upper bound. Recall the table NS from the running example in Section 2. NS(x, y) expresses that user y is subscribed to newsletter x. It is natural that the requirement that users and newsletters are disjoint ∀x ((∃y NS(x, y)) → (∀y ¬NS(y, x))) is part of the database invariant. Hence, any 1-type containing NS(x, x) is unfeasible. Let ψ be a sentence in Scott Normal Form such that ψ = ψ∀∀ ∧ ψ∀∃ , where ψ∀∀ = (∀x∀y α) and ψ∀∃ is a conjunction of terms of the form ∀x∃y βi . Any 1-type which is not feasible for ψ∀∀ is certainly not feasible for ψ. Since ψ∀∀ is a universal FO sentence, it adheres to a classical property of universal FO: the class of models of ψ∀∀ is closed under taking substructures. This implies that any feasible 1-type of ψ∀∀ occurs in a structure of cardinality 1. We count the number of unfeasible 1-types which do not contain x = c for any constant name by iterating over all such 1-types t(x) and checking satisfiability of ∀x t(x) ∧ ψ∀∀ by a structure of cardinality 1.
D.3.3
Improved satisfiability testing
The size of the input and the run time of the SAT solver depend on the size of the upper bound bnd(ψ) on the cardinality of the minimal satisfying model, if such a model exists. To guarantee that ψ is unsatisfiable, one must verify that no satisfying model up to that cardinality exists. In contrast, to guarantee that ψ is satisfiable, it is enough to find a satisfying model, which may be much smaller than the bound. Hence, instead of performing the satisfiability test for models of cardinality up to bnd(ψ), we iteratively search for models whose cardinalities 1 = a0 , . . . , ae ≤ bnd(ψ) increase exponentially up to bnd(ψ). For each ai , we construct a CNF formula Cai similar to Cψ , only replacing the maximal cardinality bnd(ψ) with ai , and apply the SAT solver to Cai . We have that ai = 2ai−1 for every 2 ≤ i < e and ae = min(bnd(ψ), 2ae−1 ). The search continues until either we reach the index e for which ae = bnd(ψ) or Cae is satisfiable, and the algorithm returns the truth-value of Cae . This procedure is very often much faster for satisfiable inputs ψ. For unsatisfiable inputs, the run time increase is negligible, since the formulas Ca0 , . . . , Cae−1 are exponentially smaller than Cae = Cψ .
25
![OWASP Automated Threat Handbook Web Applications [PDF]](https://m.moam.info/img/260x300/owasp-automated-threat-handbook-web-applications-p_647d8da3098a9e8d758b45b4.jpg)
